Securities and Exchange Commission chairman Gary Gensler is eyeing tougher cybersecurity rules to protect investors against financial loss and theft of personal data by hackers, he said in a speech Monday.
The agency’s top official is considering more stringent requirements for a diverse set of firms underpinning the country’s financial infrastructure, including publicly traded companies, financial advisors, brokerage houses, trading systems, and firms that custody client assets, among others.
The economic costs of cyberattacks extend into the billions and perhaps even trillions of dollars, Gensler said. The state and non-state hackers perpetrating the crimes often try to steal data, intellectual property or money; lower confidence in the financial system; and disrupt economies, he said.
“All this puts our financial accounts, savings, and private information at risk,” Gensler said Monday at Northwestern Pritzker School of Law’s Annual Securities Regulation Institute.
“The financial sector remains a very real target of cyberattacks,” he added. “What’s more, it’s become increasingly embedded within society’s critical infrastructure.”
At a meeting on Wednesday, SEC commissioners will consider whether to propose new cyber standards for Treasury trading platforms, Gensler said.
Specifically, the agency would bring the platforms under the umbrella of an existing rule — Regulation Systems Compliance and Integrity — which currently covers entities like stock exchanges and clearinghouses. The measure ensures firms have sound technology programs, business continuity plans, testing protocols and data backups, Gensler said.
The SEC chair has also asked staff to recommend reforms in a few other domains.
For example, Gensler suggested rules to reduce risk among investment companies, investment advisors and broker-dealers by improving their “cybersecurity hygiene and incident reporting.”
Gensler also wants the agency to consider updating the reporting and disclosures brokerages and financial advisors make to customers following a cyber breach. The agency may also update cyber practices and risk disclosures that public companies make to their investors, Gensler said.
“I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner,” Gensler said of publicly traded companies.
Lastly, he asked staff to weigh tougher standards for financial service providers like fund administrators and custodians.